5 First Principles for Your Incident Response Plan
Today, organizations rely heavily on IT systems for their day-to-day business operations. Regardless of how big or small the business is, it is vital to secure these systems and their data. The inherent complexity of these IT systems and networks makes them vulnerable to attacks. This makes it vital for any business to prepare a solid incident response plan and continuously improve it so that it stays highly effective.
“By failing to prepare, you are preparing to fail.” ― Benjamin Franklin, Founding Father of the United States
In a nutshell, an incident response plan provides the strategy and a basic set of instructions to detect and prevent future threats, reduce the risks, and recover if such an incident happens. If you are yet to create your incident response plan, you can find detailed steps in the SANS Institute’s Incident Handler’s Handbook.
This article focuses on 5 tweaks that will make your incident response plan more effective.
1. Keep the plan simple
When an incident happens, it affects the mental state of everyone involved. Depending on the gravity of the incident, this adverse effect can worsen. At such times, complex procedures and plans are likely to fail. It is also important that the plan provides a decent amount of flexibility to adjust. If the plan is rigid, it needs to describe every possibility, which makes it more complex.
Overall, keeping the incident response plan simple provides several key advantages:
- Easy to remember the plan, which makes actioning faster.
- Less prone to mistakes.
- Fewer points of contact and interactions, which avoids potential communication bottlenecks.
Therefore, it is extremely important to keep the incident response plan simple for an efficient security operations center.
2. Make sure everyone trusts the plan and understands the objectives
Although it is part of the incident response plan to provide the instructions for carrying out preparation activities, this solves only part of the problem. Unless all the stakeholders trust the plan and rely on it for guidance, successful execution of the plan is difficult. Therefore it is important to involve these stakeholders in preparing the incident response plan. This activity not only improves understanding but also builds trust.
If we are being realistic, it is likely that there are gaps between what is defined in the plan and the actual execution after an incident.
On the other hand, knowing the purpose (or objective) of the plan is also important. This empowers the teams to be more agile and to make decisions that meet the objectives even if a particular instruction is not directly available in the incident response plan.
3. Strike the right balance in sharing authority
When it comes to the execution of an incident response plan, it is vital to balance the degree of centralization against the authority delegated to the lowest level.
“Centralization is said to be a process where the concentration of decision making is in a few hands.”
Although there are numerous advantages in centralizing authority, it can also lead to a single point of failure. This is why sharing of authority is needed. Granting the right balance of authority for incident response plan execution empowers teams to act without further delays and reduces the risk of a single point of failure.
Let’s take the example of a server compromise. Say that an IT support engineer has detected malicious network access from a server within the network. If they have the authority to temporarily shut down the server, they can reduce the risk of the attack spreading. If they need to get permission from the owner of that particular server and the head of IT before taking any decision, precious time is wasted that could have been used to reduce the impact of the attack.
4. Better prepared communication channels
It is important to have well-defined communication points in place in the incident response plan. All the stakeholders should be able to answer the questions “Who should I inform if a particular incident happens?” and “What is the communication channel?”.
It is also important to know that the incident itself could impact the communication channels. This needs to be taken into account when preparing the incident response plan.
In addition, the incident response plan should provide guidance and details on which information is allowed to be communicated, and to whom.
As an example, the slightest mistake in communicating a data breach to customers could significantly impact the business’s brand value unless it is done with preparation.
5. Build a trust-based environment
One thing we all need to understand is that attacks do happen, and various vulnerabilities get exploited. Some of these could be due to genuine mistakes by employees. This is where we need to build trust with the stakeholders so that they escalate these issues rather than sweeping them under the carpet.
It is also important that the organization’s culture empowers people to do the right thing.
This is one of the toughest challenges to overcome without the right environment and core values within the organization. If the organization has the habit of penalizing mistakes, this creates resistance to escalating and reporting incidents. This could significantly impact the execution of the incident response plan.
Therefore it is important to encourage people to report incidents even if they happened due to a genuine mistake of their own.